I consider it acceptable for someone poking around in my javascript to break their instance of the application, so client-side security need only go as far as the app not breaking in normal use. The server must enforce correct access control and validation for all calls even if the client side also implements it. Any business logic in client-side JS is subject to inspecting and tampering, regardless of style or framework used, so treat it as just user-experience sugar on top of your secure API calls.